5

I have the following:

    postfix-2.10.1-6.el7.x86_64
    cyrus-sasl-lib-2.1.26-17.el7.x86_64
    cyrus-sasl-plain-2.1.26-17.el7.x86_64
    cyrus-sasl-2.1.26-17.el7.x86_64

My `postconf -n` is:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd         $daemon_directory/$process_name $process_id & sleep 5
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
    relayhost = smtp.dynect.net:25
    sample_directory = /usr/share/doc/postfix-2.10.1/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    unknown_local_recipient_reject_code = 550

My /etc/sysconfig/saslauthd has:

    SOCKETDIR=/run/saslauthd
    MECH=pam
    FLAGS=

My /etc/sasl2/smtpd.conf has:

    pwcheck_method: saslauthd
    mech_list: plain login

When I try to log in from a remote server, I get the following error:

    telnet 10.65.60.23 25
    Trying 10.65.60.23...
    Connected to 10.65.60.23.
    Escape character is '^]'.
    220 jira.radwarecloud.com ESMTP Postfix
    EHLO local.domain.name
    250-jira.radwarecloud.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    auth login
    503 5.5.1 Error: authentication not enabled

What am I missing here? Thanks! Elad.

edotan

4 Answers

7

To enable SASL when receiving email via smtpd, you need to set this parameter:

    smtpd_sasl_auth_enable = yes

To enable SASL when sending email via smtp, you need to set this parameter:

    smtp_sasl_auth_enable = yes

In your postconf output above, you only set smtp_sasl_auth_enable, not smtpd_sasl_auth_enable. That's why Postfix complains with the error

    Error: authentication not enabled

masegaloeh
  • You are correct. What I want is my postfix server to be able to relay emails to an external service (dynec) - I am able to authenticate if I try to access the external service straight from my postfix server. But when I try to connect to my postfix from a remote server I don't want to use authentication since it's coming from my private LAN. Only the postfix should use authentication with the external service. Is it possible to configure the postfix to receive emails with no username and password and relay the email to an external email service with authentication? – edotan Aug 10 '15 at 06:58
  • I guess this is related with [this thread](http://serverfault.com/questions/711006/postfix-error-535-5-7-8-error-authentication-failed-authentication-failure), isn't it? Well, looks like you have attempted to configure SASL in smtpd, instead configure SASL in smtp :). Try to follow the tutorial from Dyn and try to send email via your postfix. – masegaloeh Aug 10 '15 at 07:52
  • I'm all over :-) I now use the Dyn tutorial and it works from my postfix, but I need my remote application to send to the postfix and postfix to relay it to Dyn. That doesn't work. I need to access the postfix with no password and postfix should authenticate with Dyn (this works). How do I combine non-authentication from remote user to postfix and authentication from postfix to Dyn in the same main.cf? – edotan Aug 10 '15 at 08:32
  • Does your remote application have a static IP address? If yes, try to add the application IP address in postfix `mynetworks` parameter. – masegaloeh Aug 10 '15 at 08:59
  • I have it. I see in the /var/log/maillog that the postfix is trying to relay the email to smtp.dynect.net but it gets the following message: "enabling PIX workarounds: disable_esmtp delay_dotcrlf for smtp.dynect.net[216.146.40.93]:25" "554 5.7.1 Relay access denied (in reply to RCPT TO command))" but if I try to telnet from the postfix to Dyn with the username and password. I receive the email with no problem. – edotan Aug 10 '15 at 09:06
  • In this comment thread, our discussion was very limited. Feel free to ask a new question. Try to add *smtp.dynect.net* in the [`debug_peer_list`](http://www.postfix.org/postconf.5.html#debug_peer_list) parameter to enable verbose logging. – masegaloeh Aug 10 '15 at 09:13
2

AUTH is not part of basic SMTP, but of ESMTP. So in order to use AUTH, you need to start the SMTP session with EHLO instead of HELO.

Tilman Schmidt
  • Thanks, but I still get "503 5.5.1 Error: authentication not enabled" right after I type "auth login" – edotan Aug 09 '15 at 14:58
  • I edited my original question with the EHLO - you can see the output. Thanks! – edotan Aug 09 '15 at 15:01
  • EHLO output shows that the AUTH verb is not offered, which confirms masegaloeh's answer. You did not enable _incoming_ SMTP AUTH. (smtpd_sasl_auth_enable) So the "authentication not enabled" message is correct. If, as you stated in your comments on the other answer, you do not want _incoming_ authentication then you tested the wrong thing. Enabling _outgoing_ SMTP AUTH is a separate topic and you should open a separate question for it. – Tilman Schmidt Aug 10 '15 at 16:16
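
The two checks made in the answers above (which of `smtp_sasl_auth_enable` / `smtpd_sasl_auth_enable` is set, and whether the EHLO reply offers AUTH) can be run mechanically. This is an added example, not code from any poster in this thread; the function names are hypothetical and the sample inputs are constructed from the values quoted in the question.

```shell
#!/bin/sh
# Constructed samples, reduced from the question's `postconf -n` and EHLO reply.
POSTCONF_SAMPLE='  relayhost = smtp.dynect.net:25
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
EHLO_SAMPLE='250-jira.radwarecloud.com
250-PIPELINING
250-ENHANCEDSTATUSCODES
250 DSN'

# conf_value NAME DEFAULT (hypothetical helper): read `postconf -n` text on
# stdin and print NAME's value. `postconf -n` lists only non-default
# settings, so a missing NAME yields DEFAULT. The exact "NAME = " prefix
# match keeps smtp_* (client side) and smtpd_* (server side) apart.
conf_value() {
    awk -v key="$1" -v def="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, key " = ") == 1 { val = substr($0, length(key) + 4); hit = 1 }
        END { print (hit ? val : def) }'
}

# ehlo_auth_mechs (hypothetical helper): read an EHLO reply on stdin and print
# the mechanisms on its AUTH line; print nothing when AUTH is not offered.
ehlo_auth_mechs() {
    tr -d '\r' | awk '
        !seen && /^250[- ]AUTH[ =]/ { sub(/^250[- ]AUTH[ =]/, ""); print; seen = 1 }'
}

# diagnose POSTCONF_TEXT EHLO_TEXT: one-line classification of the setup.
diagnose() {
    server=$(printf '%s\n' "$1" | conf_value smtpd_sasl_auth_enable no)
    client=$(printf '%s\n' "$1" | conf_value smtp_sasl_auth_enable no)
    mechs=$(printf '%s\n' "$2" | ehlo_auth_mechs)
    if [ "$server" = yes ] && [ -n "$mechs" ]; then
        echo "inbound AUTH offered ($mechs); outbound SASL: $client"
    elif [ "$server" = yes ]; then
        echo "inbound SASL enabled but AUTH not advertised"
    elif [ "$client" = yes ]; then
        echo "outbound only: clients sending AUTH get 503"
    else
        echo "SASL disabled in both directions"
    fi
}

diagnose "$POSTCONF_SAMPLE" "$EHLO_SAMPLE"
```

On a live host, the first argument would be the output of `postconf -n` and the second the server's reply to EHLO.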
0

How to debug whether it's really the SELinux issue which is blocking these SMTP connections? You can use the getsebool command to check whether the httpd daemon is allowed to make an SMTP connection over the network to send an email.

    getsebool httpd_can_sendmail

    getsebool httpd_can_network_connect

This command will return a boolean, on or off. If it's disabled, then you will see an output like this: `getsebool: SELinux is disabled`. We can turn it on using the following commands:

    sudo setsebool -P httpd_can_sendmail 1

    sudo setsebool -P httpd_can_network_connect 1

If you are running your code on a shared hosting provider and trying to connect to some third-party SMTP provider like smtp.pepipost.com or smtp.sendgrid.com and getting some errors like this.

Aaron Le
-3

chown -R saslauth:saslauth /var/run/saslauthd/

  • 1
    You might be able to improve this answer by explaining why you think this will solve the problem and what relationship the error message has to the real problem. Also, should that path be `/run/saslauthd/`? That's what the supplied config file has. – Ladadadada Oct 28 '16 at 16:36